1. Field of the Invention
The present invention relates to a method of updating intrusion detection rules, and more particularly, to a method of dynamically updating intrusion detection rules through network link data.
2. Related Art
An intrusion detection system (IDS) is an important technology for protecting the data in computer systems from being stolen and for protecting the computer systems themselves from malicious damage. With an intrusion detection system working together with firewalls, malicious intrusions from external or internal networks can be efficiently prevented. Snort, a well-known open source product in the IDS field, filters network intrusion actions by means of built-in intrusion detection rules, based on the detection of signatures and communication protocols. As intrusion actions change continuously, the intrusion detection rules must also be changed and updated, or appropriate intrusion detection rules must be designed according to the requirements of the computer hosts in the LAN. The intrusion detection rules of the Snort system are written in a lightweight script language; most rules are expressed on a single line, or are continued across multiple lines by using the symbol “/” to separate the parts of the rule description. Each intrusion detection rule includes a header, a communication protocol, an IP address, a connection port number, and an advanced rules file. For example, the rule “alert TCP any -> 192.168.1.0/24 111” indicates that if any host attempts, over the TCP protocol, to reach the network segment of the address 192.168.1.0, i.e., the Class C network segment 192.168.1.0/24, and to connect to port number 111, the Snort system host generates a warning signal immediately upon receiving the network packet. The Snort administrator can not only add or remove an intrusion detection rule by entering an instruction, but can also directly download a rules file, copy it into a designated directory, and then restart the Snort system so that the new intrusion detection rules are loaded.
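As an added illustration (example code written for this page, not part of the patent and not Snort's own implementation), the following simplified matcher parses the header portion of a Snort-style rule such as the one above and evaluates constructed packets against it; it assumes the full header form, which also carries a source port ("any") and the "->" direction operator, and ignores the option section in parentheses:

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class RuleHeader:
    action: str
    proto: str
    src_net: str
    src_port: str
    dst_net: str
    dst_port: str


def parse_header(rule: str) -> RuleHeader:
    """Parse the header of a Snort-style rule.

    Expected shape: ACTION PROTO SRC SRC_PORT -> DST DST_PORT [(options)]
    The option section after the first '(' is ignored by this example.
    """
    header = rule.split("(", 1)[0].split()
    if len(header) != 7 or header[4] != "->":
        raise ValueError(f"unsupported rule header: {rule!r}")
    action, proto, src, sport, _, dst, dport = header
    return RuleHeader(action, proto.lower(), src, sport, dst, dport)


def _addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    # CIDR spec such as 192.168.1.0/24 covers the whole Class C segment.
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _port_matches(spec: str, port: int) -> bool:
    if spec == "any":
        return True
    if ":" in spec:  # Snort range syntax, e.g. "1:1024"
        lo, _, hi = spec.partition(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def packet_matches(hdr: RuleHeader, proto, src, sport, dst, dport) -> bool:
    return (hdr.proto == proto.lower()
            and _addr_matches(hdr.src_net, src) and _port_matches(hdr.src_port, sport)
            and _addr_matches(hdr.dst_net, dst) and _port_matches(hdr.dst_port, dport))


def evaluate(rules, packet):
    """Return the action of the first rule the packet matches, or None."""
    return next((r.action for r in rules if packet_matches(r, *packet)), None)


# Constructed sample: the rule from the text, plus three constructed packets.
RULES = [parse_header('alert tcp any any -> 192.168.1.0/24 111 (msg:"constructed";)')]
SAMPLE_PACKETS = [
    ("tcp", "10.0.0.5", 40000, "192.168.1.20", 111),  # in segment, port 111: alert
    ("tcp", "10.0.0.5", 40000, "192.168.2.20", 111),  # other segment: no alert
    ("udp", "10.0.0.5", 40000, "192.168.1.20", 111),  # wrong protocol: no alert
]
```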
However, neither the method of updating intrusion detection rules by typing in rule instructions one at a time nor the method of updating them by loading rule files can update the intrusion detection rules dynamically. Instead, both methods require the defense provided by the running Snort system to be unloaded or interrupted before the new intrusion detection rules are loaded. For a network segment that may suffer network intrusions at any time and from anywhere, the longer the Snort system is interrupted or unloaded, the more easily the internal computer hosts fall victim to malicious intrusions, so that network security risks arise easily. In addition, from the network administrator's point of view, if there are a plurality of Snort system hosts in the network (or a plurality of network cards equipped with an intrusion detection rules database or storage), the update of the intrusion detection rules must be performed on the hosts (or network cards) one by one, which prolongs the update operation. What is worse, if the Snort system is burned into an embedded chip of a network card, the chip must be detached so that the burning procedure can be performed to write the updated intrusion detection rules into the chip. All of these methods of updating the intrusion detection rules are time-consuming and labor-intensive.